Abstract

As the complexity of software systems continues to grow, most engineers face two serious problems: the state space explosion problem and the problem of how to debug systems. In this paper, we propose a game-theoretic approach to full branching time model checking on three-valued semantics. Three-valued models and logics provide a successful abstraction that overcomes the state space explosion problem. The game-style model checking generates counterexamples that can guide refinement or identify validated formulas, which solves the system debugging problem. Furthermore, the output of our game-style method gives engineers significant information for detecting where errors have occurred and what the causes of the errors are.


1 Introduction 

Model checking is a major technique for verifying finite state systems [5]. The procedure normally uses an exhaustive search of the state space of the system to determine whether some specification is satisfied or not. Given sufficient resources, the procedure will always terminate with a yes/no answer. Since the size of a given system (concrete model) is usually very large, the state explosion problem may occur when model checking such a model. Abstraction, as an indispensable means to reduce the state space, makes model checking feasible [4, 5]. The traditional abstraction method uses two-valued semantics. It brings about two kinds of situations: under-approximation and over-approximation. In under-approximation, the abstract model exhibits only behavior that exists in the concrete model but may miss some of its behavior. On the other hand, over-approximation may bring in additional behavior that does not exist in the concrete model. Unfortunately, both of these two-valued abstractions have an unsoundness problem. That is, every existential property satisfied by an under-approximate model also holds in the concrete model, but universal properties (for example safety) do not necessarily hold; and every universal property satisfied by an over-approximate model also holds in the concrete model, but existential properties (for example liveness) do not necessarily hold. Such unsoundness makes abstraction less useful, and the state space explosion problem still remains. In the past ten years, three-valued models and logics have been studied. The main benefit of this approach is that both universal and existential properties are guaranteed to be sound. The three-valued semantics evaluates a formula to either true, false or an indefinite value as the third value. In Kleene's strongest regular three-valued propositional logic, the third value is understood as unknown, meaning that it can take either true or false. The three-valued models, or modal transition systems, contain may-transitions, which over-approximate transitions of the concrete model, and must-transitions, which under-approximate transitions of the concrete model. To ensure logical consistency, truth of universal formulas is then examined over may-transitions, whereas truth of existential formulas is examined over must-transitions. We follow this approach.

Full branching time logic CTL*, as an expressive fragment [6, 2, 5] of the μ-calculus, can describe properties in computation trees. There has been much work on model checking for sublogics of CTL* such as LTL and CTL [11, 3], but little on CTL* itself. This paper introduces ideas for the full branching time temporal logic CTL*.

There are several approaches to studying computations: the computational model approach, the algebraic approach, the logical approach and the game-theoretic approach. In the field of model checking, one uses the logical approach to capture the temporal ordering of events, the algebraic approach to model the examined systems, and the computational model approach and the game-theoretic approach to do model checking. A typical model checking approach is the automata-theoretic approach. Kupferman, Vardi and Wolper have shown how to solve the model checking problem for branching time by using alternating automata [9]. In their approach the model checking problem is reduced to a non-emptiness checking problem of the alternating automaton composed as a product between a Kripke structure and an automaton expressing the property of interest. The game-theoretic approach to model checking can also be viewed as simulating alternating automata [10, 12]. Its winning conditions correspond to a special Rabin acceptance condition of the automata approach. In contrast to the automata-theoretic model checking approach, it is not necessary to compose automata for the properties.

E. Denney, D. Giannakopoulou, C.S. Pasareanu (eds.); The First NASA Formal Methods Symposium, pp. 26-35

Game-based Approach to Abstract-Check-Refine. Yi Wang and Tetsuo Tamai

Related Work. Martin Lange and Colin Stirling proposed model checking games for CTL* in [10]. They described a two-player CTL* focus game for Kripke structures on Boolean semantics. We propose a generalization of the two-player game to Modal Transition Systems on three-valued semantics. Many papers on three-valued abstraction have been proposed by Godefroid, Jagadeesan and Bruns [1, 7, 8]. They showed the advantages of three-valued models. In this paper, we not only discuss the advantages of three-valued models but also analyze the returned information for debugging, proving or refining such models. Sharon Shoham and Orna Grumberg proposed multi-valued games for the μ-calculus [12]. We investigate games for CTL*, which is the most expressive fragment of the μ-calculus. To sum up, the contributions of this paper are: (1) a new game-based approach to three-valued model checking, (2) a new game-based algorithm showing the winning strategy of each player for solving the game, (3) a new analysis based on the focus game for debugging, proving or refining abstract models.


2 Preliminaries 

We introduce the key notions behind the framework of abstraction and model checking. Let $AP$ be a finite set of atomic propositions. We require that an atomic proposition $p$ is in $AP$ if and only if its negation $\neg p$ is in $AP$. In the rest of this paper we suppose that all models, both abstract and concrete, share the set $AP$.

The full branching time logic CTL* formulas are composed of propositions, negation, Boolean connectives, path quantifiers and temporal operators.

Definition 1 (Syntax of CTL*) There are two types of formulas in CTL*: state formulas and path formulas. The syntax of state and path formulas is given by the following rules:

- If $p$ is an atomic proposition, then $p$ is a state formula.

- If $\psi_1$ and $\psi_2$ are state formulas, then $\neg\psi_1$, $\psi_1 \vee \psi_2$ and $\psi_1 \wedge \psi_2$ are state formulas.

- If $\psi$ is a path formula, then $E\psi$ and $A\psi$ are state formulas.

- If $\psi$ is a state formula, then $\psi$ is also a path formula.

- If $\psi_1$, $\psi_2$ are path formulas, then $\neg\psi_1$, $\psi_1 \vee \psi_2$, $\psi_1 \wedge \psi_2$, $X\psi_1$, $F\psi_1$, $G\psi_1$, $\psi_1 U \psi_2$ and $\psi_1 R \psi_2$ are path formulas.

The F, G temporal operators can be replaced with U, R operators by the rules $F\psi = \mathit{true}\,U\,\psi$ and $G\psi = \mathit{false}\,R\,\psi$. The set of subformulas $Sub(\varphi)$ for a given $\varphi$ is defined in the usual way, except that

- $Sub(\varphi U \psi) := \{\varphi U \psi,\ X(\varphi U \psi),\ \varphi \wedge X(\varphi U \psi),\ \psi \vee (\varphi \wedge X(\varphi U \psi))\} \cup Sub(\varphi) \cup Sub(\psi)$,

- $Sub(\varphi R \psi) := \{\varphi R \psi,\ X(\varphi R \psi),\ \varphi \vee X(\varphi R \psi),\ \psi \wedge (\varphi \vee X(\varphi R \psi))\} \cup Sub(\varphi) \cup Sub(\psi)$.

We consider that every CTL* formula begins with a path quantifier A to ensure that it is a state formula. The following semantics of CTL* shows that this is not a restriction, because of the equivalence $Q_1 Q_2 \varphi = Q_2 \varphi$ for $Q_1, Q_2 \in \{A, E\}$.

Definition 2 (Semantics of CTL*) Suppose that $\pi^i$ denotes the suffix of $\pi$ starting at $s_i$. Let $\psi$ be a CTL* formula and $M$ be a model. If $\psi$ is a state formula, the notation $M, s \models \psi$ means that $\psi$ holds at state $s$ in model $M$. Similarly, if $\psi$ is a path formula, $M, \pi \models \psi$ means that $\psi$ holds along path $\pi$ in model $M$. The relation $\models$ is defined inductively as follows (assuming that $\psi_1$ and $\psi_2$ are state formulas and $\psi'_1$ and $\psi'_2$ are path formulas):

- $M, s \models p \iff p \in L(s)$.

- $M, s \models \neg\psi_1 \iff M, s \not\models \psi_1$.

- $M, s \models \psi_1 \vee \psi_2 \iff M, s \models \psi_1$ or $M, s \models \psi_2$.

- $M, s \models \psi_1 \wedge \psi_2 \iff M, s \models \psi_1$ and $M, s \models \psi_2$.

- $M, s \models E\psi'_1 \iff$ there is a path $\pi$ from $s$ such that $M, \pi \models \psi'_1$.

- $M, s \models A\psi'_1 \iff$ for every path $\pi$ starting from $s$, $M, \pi \models \psi'_1$.

- $M, \pi \models \psi_1 \iff s$ is the first state of $\pi$ and $M, s \models \psi_1$.

- $M, \pi \models \neg\psi'_1 \iff M, \pi \not\models \psi'_1$.

- $M, \pi \models \psi'_1 \vee \psi'_2 \iff M, \pi \models \psi'_1$ or $M, \pi \models \psi'_2$.

- $M, \pi \models \psi'_1 \wedge \psi'_2 \iff M, \pi \models \psi'_1$ and $M, \pi \models \psi'_2$.

- $M, \pi \models X\psi'_1 \iff M, \pi^1 \models \psi'_1$.

- $M, \pi \models F\psi'_1 \iff$ there exists a $k \geq 0$ such that $M, \pi^k \models \psi'_1$.

- $M, \pi \models G\psi'_1 \iff$ for all $i \geq 0$, $M, \pi^i \models \psi'_1$.

- $M, \pi \models \psi'_1 U \psi'_2 \iff$ there exists a $k \geq 0$ such that $M, \pi^k \models \psi'_2$ and for all $0 \leq j < k$, $M, \pi^j \models \psi'_1$.

- $M, \pi \models \psi'_1 R \psi'_2 \iff$ for all $j \geq 0$, if for every $i < j$ $M, \pi^i \not\models \psi'_1$ then $M, \pi^j \models \psi'_2$.


Consider that every concrete model is given as a Kripke structure (KS for short) over $AP$, denoted by $M_c$. A KS is a four-tuple $(S_c, S_c^0, R_c, L_c)$ where $S_c$ is a finite set of states, $S_c^0 \subseteq S_c$ is the set of initial states, $R_c \subseteq S_c \times S_c$ is a transition relation that must be total, that is, for every state $s_c \in S_c$ there is a state $s'_c \in S_c$ such that $s_c \to s'_c \in R_c$, and $L_c : S_c \to 2^{AP}$ is a labeling function such that for every state $s$ and every $p \in AP$, $p \in L_c(s)$ iff $\neg p \notin L_c(s)$. $[M_c \models \varphi] = tt$ ($= ff$), also written $M_c \models \varphi$ ($M_c \not\models \varphi$), means that $M_c$ satisfies (refutes) the CTL* formula $\varphi$.

An abstraction $(S_a, \gamma)$ for $S_c$ consists of a finite set of abstract states $S_a$ and a total concretization function $\gamma : S_a \to 2^{S_c}$ that maps each abstract state to the (nonempty) set of concrete states it represents. The function $\alpha : 2^{S_c} \to S_a$, the inverse of $\gamma$, is called the abstraction function. An abstract model $M_a$ is said to be on two-valued semantics if it is a KS model. An abstract model is said to be on three-valued semantics if it is a Modal Transition System (MTS) model [1, 7, 8]. MTSs contain two types of transitions: may-transitions and must-transitions.

Definition 3 A Modal Transition System $M_a$ over $AP$ is a tuple $(S_a, S_a^0, R_{may}, R_{must}, L_a)$, where $S_a$ is a nonempty finite set of states, $S_a^0 \subseteq S_a$ is the set of initial states, $R_{may} \subseteq S_a \times S_a$ and $R_{must} \subseteq S_a \times S_a$ are transition relations such that $R_{must} \subseteq R_{may}$, and $L_a : S_a \to 2^{AP}$ is a labeling function.

$R_{may}$ is the set of all possible transitions and $R_{must}$ is the set of all inevitable transitions. Note that $R_{must} \subseteq R_{may}$, because all inevitable transitions are possible transitions. Consider a concrete KS $M_c$ and an abstract MTS $M_a$ of $M_c$. Let $(S_a, \gamma)$ be the three-valued abstraction between $M_c$ and $M_a$. Labelings of each state in $S_a$ are constructed by the following rules:

$$\frac{p \in L_c(s) \wedge \neg p \in L_c(s')}{p \notin L_a(s_a)} \qquad \frac{p \in L_c(s) \wedge p \in L_c(s')}{p \in L_a(s_a)} \qquad \frac{\neg p \in L_c(s) \wedge \neg p \in L_c(s')}{\neg p \in L_a(s_a)}$$

where $s, s' \in \gamma(s_a)$. Note that it is possible that neither $p$ nor $\neg p$ is in $L_a(s_a)$, though either $p$ or $\neg p$ must be in $L_c(s_c)$. After state abstraction, transitions in $M_a$ are constructed by the following rules:

$$\frac{\exists s_1 \in \gamma(s_a),\ \exists s_2 \in \gamma(s'_a) : s_1 \to s_2}{s_a \xrightarrow{may} s'_a} \qquad \frac{\forall s_1 \in \gamma(s_a),\ \exists s_2 \in \gamma(s'_a) : s_1 \to s_2}{s_a \xrightarrow{must} s'_a}$$


Other constructions of abstract models, based on Galois connections, can be found in [7]. The three-valued semantics of CTL* over MTSs, denoted $[M \models_3 \varphi]$, preserves both satisfaction and refutation from the abstract model $M_a$ to the concrete model $M_c$. However, a new truth value (the third value, unknown), denoted by $\bot$, is introduced, meaning that the truth value over the concrete model is not known and can be either true or false.

Figure 1: Example of Three-Valued Abstraction

Example 4 Let $AP = \{p, \neg p, v, \neg v\}$. Figure 1 shows a concrete KS model $M_c$ (left) and its abstract MTS model $M_a$ (right). Let $(S_a, \gamma)$ be a (three-valued) abstraction, where $S_a = \{s_0, s_2, s_{3,4}, s_{1,5,7}, s_6\}$ and $\gamma(s_0) = \{s_0\}$; $\gamma(s_2) = \{s_2\}$; $\gamma(s_{3,4}) = \{s_3, s_4\}$; $\gamma(s_{1,5,7}) = \{s_1, s_5, s_7\}$; $\gamma(s_6) = \{s_6\}$.
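The labeling rules and the may/must transition rules above, applied by a small script that is an added example and not the paper's own code. The Kripke structure, its labels and the concretization function gamma below are constructed for illustration; they are not the model of Figure 1.

```python
"""Building a three-valued abstraction (an MTS) from a Kripke structure with the
labeling and may/must rules of Section 2.  Added example, not the paper's code;
the concrete model and gamma are constructed and are not the model of Figure 1."""
from itertools import product

# Constructed concrete Kripke structure over AP = {p, ~p, v, ~v}; "~" marks the
# negated proposition, so every concrete state carries one literal per proposition.
KS_TRANS = {"s0": {"s1", "s2"}, "s1": {"s0", "s3"}, "s2": {"s3"}, "s3": {"s3"}}
KS_LABEL = {"s0": {"p", "~v"}, "s1": {"p", "v"}, "s2": {"~p", "v"}, "s3": {"p", "~v"}}
PROPS = ["p", "v"]

# Constructed concretization function gamma: abstract state -> concrete states.
GAMMA = {"a0": {"s0"}, "a12": {"s1", "s2"}, "a3": {"s3"}}


def neg(lit):
    """Negation of a literal: p <-> ~p (AP is closed under negation)."""
    return lit[1:] if lit.startswith("~") else "~" + lit


def abstract_labels(gamma, label, props):
    """Labeling rules: p (resp. ~p) enters L_a(s_a) only when every concrete
    state in gamma(s_a) carries p (resp. ~p).  When the concrete states
    disagree, neither literal is added, so p is unknown at s_a."""
    la = {}
    for sa, concrete in gamma.items():
        la[sa] = set()
        for p in props:
            if all(p in label[s] for s in concrete):
                la[sa].add(p)
            elif all(neg(p) in label[s] for s in concrete):
                la[sa].add(neg(p))
    return la


def abstract_transitions(gamma, trans):
    """Transition rules: s_a --may--> s_a' if some s1 in gamma(s_a) reaches some
    s2 in gamma(s_a'); s_a --must--> s_a' if every s1 in gamma(s_a) does."""
    may, must = set(), set()
    for sa, sa2 in product(gamma, repeat=2):
        reaches = [any(s2 in trans[s1] for s2 in gamma[sa2]) for s1 in gamma[sa]]
        if any(reaches):
            may.add((sa, sa2))
        if all(reaches):
            must.add((sa, sa2))
    return may, must


def literal_value(la, sa, p):
    """Three-valued value of proposition p at abstract state sa."""
    if p in la[sa]:
        return "tt"
    if neg(p) in la[sa]:
        return "ff"
    return "unknown"


if __name__ == "__main__":
    la = abstract_labels(GAMMA, KS_LABEL, PROPS)
    may, must = abstract_transitions(GAMMA, KS_TRANS)
    for sa in GAMMA:
        print(sa, {p: literal_value(la, sa, p) for p in PROPS})
    print("may-only transitions:", sorted(may - must))
```

The state a12 merges s1 (with p) and s2 (with ~p), so p is unknown there, and the transition a12 -> a0 exists only as a may-transition because only s1 reaches s0.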


3 Generalization of Focus Game

Model checking games for CTL* over two-valued models are two-player games, called focus games, proposed by Lange and Stirling [10]. There are two players in the focus game: the first player $\forall$ and the second player $\exists$. $\forall$'s task is to show that a formula is unsatisfied, while $\exists$'s task is to show the converse. In the two-player focus game, the set of configurations for a model (system) $M$ and a formula $\varphi$, written in CTL*, is $conf(M, \varphi) = \{\forall, \exists, \bot\} \times S \times Sub(\varphi) \times 2^{Sub(\varphi)}$. A configuration is written $p, s, [\psi], \Phi$, where $p$ is a player called the path player, $s \in S$, $\psi \in Sub(\varphi)$ and $\Phi \subseteq Sub(\varphi)$. Here $\psi$ is said to be in focus and the formulas in $\Phi$ are called side formulas. If $p$ denotes a player then $\bar p$ denotes the other one in any round. A play between players $p$ and $\bar p$ is a sequence of configurations. There are eighteen rules of the form

$$\frac{p, s, [\psi], \Phi}{p', s', [\psi'], \Phi'}\ \ p''$$

for transforming configurations, where $p, p', p'' \in \{\forall, \exists, \bot\}$ denote players. We follow these definitions and propose a three-player game for evaluating a CTL* formula $\varphi$ on an abstract MTS model $M_a$ with respect to three-valued semantics. We generalize the game by inserting a new player (the third player) $\bot$ and playing the game in two rounds. Without loss of generality, we match $\forall$ vs. $\bot$ in the first round and $\exists$ vs. $\bot$ in the second round. We define that $\forall$ wins the game if $\forall$ wins the first round; $\exists$ wins the game if $\exists$ wins the second round; $\bot$ wins the game if $\bot$ wins both rounds. At each configuration the set of side formulas together with the formula in focus can be understood as a disjunction (resp. conjunction) of formulas in case the path player is $\forall$ (resp. $\bot$) in the first round, or $\bot$ (resp. $\exists$) in the second round.

A play for model $M$ with starting state $s$ and a formula $\varphi$ begins with the configuration $\forall, s, [\varphi]$ in the first round and with the configuration $\bot, s, [\varphi]$ in the second round. There are eighteen rules in the two-player focus game.

Path-chosen rules:

$$(1)\ \frac{p, s, [E\varphi], \Phi}{\exists, s, [\varphi]} \qquad (2)\ \frac{p, s, [A\varphi], \Phi}{\forall, s, [\varphi]}$$

Discarding rules:

$$(3)\ \frac{p, s, [\varphi], Q\psi, \Phi}{p, s, [\varphi], \Phi}\ \ p \qquad (4)\ \frac{p, s, [Q\varphi], \psi, \Phi}{p, s, [\psi], \Phi}\ \ p$$

Boolean-connection rules:

$$(5)\ \frac{\forall, s, [\varphi_0 \wedge \varphi_1], \Phi}{\forall, s, [\varphi_i], \Phi} \qquad (6)\ \frac{\forall, s, [\varphi_0 \vee \varphi_1], \Phi}{\forall, s, [\varphi_i], \varphi_{1-i}, \Phi}$$

$$(7)\ \frac{\exists, s, [\varphi_0 \vee \varphi_1], \Phi}{\exists, s, [\varphi_i], \Phi} \qquad (8)\ \frac{\exists, s, [\varphi_0 \wedge \varphi_1], \Phi}{\exists, s, [\varphi_i], \varphi_{1-i}, \Phi}$$

Unfolding rules:

$$(9)\ \frac{p, s, [\varphi U \psi], \Phi}{p, s, [\psi \vee (\varphi \wedge X(\varphi U \psi))], \Phi} \qquad (10)\ \frac{p, s, [\varphi R \psi], \Phi}{p, s, [\psi \wedge (\varphi \vee X(\varphi R \psi))], \Phi}$$

Progress rules:

$$(11)\ \frac{\forall, s, [X\psi], \varphi_0 \wedge \varphi_1, \Phi}{\forall, s, [X\psi], \varphi_i, \Phi} \qquad (12)\ \frac{\forall, s, [X\psi], \varphi_0 \vee \varphi_1, \Phi}{\forall, s, [X\psi], \varphi_0, \varphi_1, \Phi}$$

$$(13)\ \frac{\exists, s, [X\psi], \varphi_0 \vee \varphi_1, \Phi}{\exists, s, [X\psi], \varphi_i, \Phi} \qquad (14)\ \frac{\exists, s, [X\psi], \varphi_0 \wedge \varphi_1, \Phi}{\exists, s, [X\psi], \varphi_0, \varphi_1, \Phi}$$

$$(15)\ \frac{p, s, [X\chi], \varphi U \psi, \Phi}{p, s, [X\chi], \psi \vee (\varphi \wedge X(\varphi U \psi)), \Phi} \qquad (16)\ \frac{p, s, [X\chi], \varphi R \psi, \Phi}{p, s, [X\chi], \psi \wedge (\varphi \vee X(\varphi R \psi)), \Phi}$$

To apply our three-player game, we restrict the moves of the different players. Since transitions take place only in configurations whose formulas are all of the form $X\psi$, rule (17) is the only rule that has to be applied separately to may-transitions and must-transitions. $\forall$ and $\exists$ move on must-transitions, whereas $\bot$ moves on may-transitions:

$$(17a)\ \frac{p, s, [X\varphi_0], X\varphi_1, \ldots, X\varphi_k}{p, t, [\varphi_0], \varphi_1, \ldots, \varphi_k}\ \ p \in \{\forall, \exists\},\ s \xrightarrow{must} t \qquad (17b)\ \frac{\bot, s, [X\varphi_0], X\varphi_1, \ldots, X\varphi_k}{\bot, t, [\varphi_0], \varphi_1, \ldots, \varphi_k}\ \ s \xrightarrow{may} t$$

The special rule (change focus):

$$(18)\ \frac{p, s, [\psi], \varphi, \Phi}{p, s, [\varphi], \psi, \Phi}$$

A move in a play consists of two steps. First, the path player and the focus determine which of the rules (1)-(17a) or (1)-(17b) applies, and hence which player makes the next choice. After that, the path player's opponent has the chance to reset the focus by using rule (18). A play is finished after a full move if it has reached one of the following configurations (finish conditions).

1. $p, s, [q], \Phi$.

2. $C = \exists, s, [\varphi U \psi], \Phi$ after the play already went through $C$ and $\forall$ never applied (18) in between.

3. $C = \forall, s, [\varphi R \psi], \Phi$ after the play already went through $C$ and $\exists$ never applied (18) in between.

4. $p, s, [\varphi], \Phi$ for the second time, possibly using rule (18) in between.

5. $\forall, s, [X\psi], X\varphi_1, \ldots, X\varphi_k$ and rule (17a) cannot be applied.

6. $\exists, s, [X\psi], X\varphi_1, \ldots, X\varphi_k$ and rule (17a) cannot be applied.

The winning criteria for the three-player game are:

If rule (17b) has been applied in a play and the play ends with one of the above finish conditions, then $\bot$ wins; otherwise:

In the first round ($\forall$ vs. $\bot$)

1. When a play ends with the first finish condition, $\forall$ wins if $\neg q \in L(s)$, otherwise $\bot$ wins.

2. When a play ends with the second finish condition, $\forall$ wins.

3. When a play ends with the third finish condition, $\bot$ wins.

4. When a play ends with the fourth finish condition, the path player $p$ wins if the second or the third finish condition does not apply.

5. Whenever a play ends with the fifth or the sixth finish condition, $\bot$ wins.

In the second round ($\exists$ vs. $\bot$)

1. When a play ends with the first finish condition, $\exists$ wins if $q \in L(s)$, otherwise $\bot$ wins.

2. When a play ends with the second finish condition, $\bot$ wins.

3. When a play ends with the third finish condition, $\exists$ wins.

4. When a play ends with the fourth finish condition, the path player $p$ wins if the second or the third finish condition does not apply.

5. Whenever a play ends with the fifth or the sixth finish condition, $\bot$ wins.

The second round of the game is not always played. It is played only if $\bot$ wins the first round; otherwise the game is over and $\forall$ wins the game. Note that the game on three-valued semantics is an unfair game: players $\forall$ and $\exists$ cannot move on all may-transitions, whereas $\bot$ can.

Let $\Gamma_{CTL^*}(M, s, \varphi)$ be a game over $M$ for a CTL* formula $\varphi$. A game $\Gamma_{CTL^*}(M, s, \varphi)$ can be described as the tree of all possible plays.

Definition 5 A (game) tree is said to be a winning tree for player $p$ if $p$ wins every branch (play) in it. We say that player $p$ wins or has a winning strategy for $\Gamma_{CTL^*}(M, s, \varphi)$ if $p$ can force every play into a configuration that makes $p$ win the play. A player $p$ wins a round if $p$ wins all possible plays in that round.

Example 6 Let $\varphi = AX(p) \vee EF(v)$ be the property that we want to check. Let $M_a$ be the abstract model given in Figure 1. We show that $\bot$ wins the game ($\bot$ wins both rounds) with the following winning trees.

The first round. The tree branches at the root on $\forall$'s choice in rule (6); every other configuration has a single successor:

- $\forall, s_0, [\varphi] \to \forall, s_0, [AX(p)], EF(v) \to \forall, s_0, [AX(p)] \to \forall, s_0, [X(p)] \to \forall, s_{3,4}, [p]$

- $\forall, s_0, [\varphi] \to \forall, s_0, [EF(v)], AX(p) \to \bot, s_0, [F(v)] \to \bot, s_0, [v \vee XF(v)] \to \bot, s_0, [XF(v)] \to \bot, s_{1,5,7}, [F(v)] \to \bot, s_{1,5,7}, [v \vee XF(v)] \to \bot, s_{1,5,7}, [v]$

The second round. The tree starts from $\bot, s_0, [\varphi]$ and branches into $\bot, s_0, [AX(p)], EF(v)$ and $\bot, s_0, [EF(v)], AX(p)$. [The remaining configurations of the second-round tree are not recoverable from the extracted text.]


4 Game-Based Algorithm

In the rest of this paper we assume that $M_c$, a Kripke structure, represents a given concrete model and $M_a$, a Modal Transition System, denotes the abstract model of $M_c$. Let $\varphi$ be a CTL* formula that represents the property we are interested in and $\Gamma_{CTL^*}(M_a, s, \varphi)$ be the three-player model checking game on the abstract MTS $M_a$.

We propose a game-based model checking algorithm, called Mark Configuration, for solving the game. Mark Configuration marks every configuration with one of the symbols $\{\forall, \exists, \bot\}$ in each round. Let $C = p, s, [\varphi]$ be the starting configuration. Mark Configuration runs recursively and finally marks the starting configuration $C$ with one of the three symbols.


Mark Configuration (the 1st round)

1. BEGIN Mark(C)
2. INITIAL: history := ∅;
3.1 IF φ = Aψ THEN Mark(∀, s, [ψ])
3.2 ELSE IF φ = Eψ THEN Mark(⊥, s, [ψ])
3.3 ELSE
3.4 SWITCH (φ)
3.5 CASE 1 - CASE 6;
4. END

Mark Configuration (the 2nd round)

1. BEGIN Mark(C)
2. INITIAL: history := ∅;
3.1 IF φ = Aψ THEN Mark(⊥, s, [ψ])
3.2 ELSE IF φ = Eψ THEN Mark(∃, s, [ψ])
3.3 ELSE
3.4 SWITCH (φ)
3.5 CASE 1 - CASE 6;
4. END
From the syntax of CTL*, six types of formula $\varphi$ have to be considered when $\varphi$ starts with neither A nor E, that is $\varphi = q \mid \psi_1 \wedge \psi_2 \mid \psi_1 \vee \psi_2 \mid X\psi \mid \psi_1 U \psi_2 \mid \psi_1 R \psi_2$. Each of them corresponds to one case in this algorithm. When the focus formula $\varphi$ is $q$, $\psi_1 \wedge \psi_2$ or $\psi_1 \vee \psi_2$, the configuration $C$'s mark is decided by its children's marks. Let $C'_1$, $C'_2$ be the configurations with subformulas $\psi_1$, $\psi_2$, respectively. We represent cases 1-3 as follows.

1. C = p, s, [q] (where p ∈ {∀, ∃, ⊥}).

   If p wins in C then return p else return p̄;

2. C = p, s, [ψ₁ ∧ ψ₂] (where p ∈ {∀, ∃, ⊥}).

   if Mark(C'₁) = ∃ and Mark(C'₂) = ∃ then return ∃;
   if Mark(C'₁) = ∀ or Mark(C'₂) = ∀ then return ∀;
   if Mark(C'₁) = ∃ and Mark(C'₂) = ⊥ or Mark(C'₁) = ⊥ and Mark(C'₂) = ∃ then return ⊥;

3. C = p, s, [ψ₁ ∨ ψ₂] (where p ∈ {∀, ∃, ⊥}).

   if Mark(C'₁) = ∀ and Mark(C'₂) = ∀ then return ∀;
   if Mark(C'₁) = ∃ or Mark(C'₂) = ∃ then return ∃;
   if Mark(C'₁) = ∀ and Mark(C'₂) = ⊥ or Mark(C'₁) = ⊥ and Mark(C'₂) = ∀ then return ⊥;

The function must-next (may-next) is assumed to calculate all possible successors of a configuration by one move according to rule (17a) ((17b)). The configuration $C$'s mark in the case $\varphi = X\psi$ is determined not just by its children's marks but also by who the current player is and which round is being played. We distinguish different players in different rounds. Case 4 is as follows.

4a. C = ∀, s, [Xψ] (1st round) or ⊥, s, [Xψ] (2nd round).

   if there is a C' ∈ must-next(C) with Mark(C') = ∀ then return ∀;
   if for all C' ∈ must-next(C): Mark(C') = ∃ then return ∃;
   if there is a C' ∈ may-next(C) with Mark(C') = ⊥ and for any other C'' ∈ may-next(C): Mark(C'') = ∃ or Mark(C'') = ⊥ then return ⊥;

4b. C = ⊥, s, [Xψ] (1st round) or ∃, s, [Xψ] (2nd round).

   if for all C' ∈ may-next(C): Mark(C') = ∀ then return ∀;
   if there is a C' ∈ must-next(C) with Mark(C') = ∃ then return ∃;
   if there is a C' ∈ may-next(C) with Mark(C') = ⊥ and for any other C'' ∈ may-next(C): Mark(C'') = ∀ or Mark(C'') = ⊥ then return ⊥;


To determine the configuration $C$'s mark in the cases $\varphi = \psi_1 U \psi_2$ and $\varphi = \psi_1 R \psi_2$, we first look at who the path player in $C$ is. Next we check whether $C$ is the starting configuration of a loop. The variable history is used to record the configurations already checked in loops on any path. Cases 5 and 6 are as follows.


5a. C = p, s, [ψ₁ U ψ₂] (where p = ∀ in 1st round, p = ⊥ in 2nd round)

   if C ∈ history then mark all C' ∈ history with p; history := ∅; return p;
   else history := {C} ∪ history; Mark(p, s, [ψ₂ ∨ (ψ₁ ∧ X(ψ₁ U ψ₂))]);

5b. C = p, s, [ψ₁ U ψ₂] (where p = ⊥ in 1st round, p = ∃ in 2nd round)

   if C ∈ history then mark all C' ∈ history with p̄; history := ∅; return p̄;
   else history := {C} ∪ history; Mark(p, s, [ψ₂ ∨ (ψ₁ ∧ X(ψ₁ U ψ₂))]);

6a. C = p, s, [ψ₁ R ψ₂] (where p = ∀ in 1st round, p = ⊥ in 2nd round)

   if C ∈ history then mark all C' ∈ history with p̄; history := ∅; return p̄;
   else history := {C} ∪ history; Mark(p, s, [ψ₂ ∧ (ψ₁ ∨ X(ψ₁ R ψ₂))]);

6b. C = p, s, [ψ₁ R ψ₂] (where p = ⊥ in 1st round, p = ∃ in 2nd round)

   if C ∈ history then mark all C' ∈ history with p; history := ∅; return p;
   else history := {C} ∪ history; Mark(p, s, [ψ₂ ∧ (ψ₁ ∨ X(ψ₁ R ψ₂))]);
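Cases 1-4 of Mark Configuration, run over both rounds as the two-round game prescribes, as an added example that is not the paper's own code. The abstract model, the tuple encoding of formulas, the treatment of the ⊥/⊥ pair in cases 2 and 3 and of the fall-through in case 4 are assumptions made here; the U/R cases that need the history set are omitted.

```python
"""Mark Configuration for the fragment q | psi1 and psi2 | psi1 or psi2 | X psi
with A/E quantifiers (cases 1-4).  The U/R cases that need the history set are
omitted.  Added example, not the paper's code; the MTS below is constructed over
AP = {p, ~p, v, ~v}, and formulas are nested tuples such as
("A", ("X", ("atom", "p"))) for AX(p)."""

FORALL, EXISTS, BOT = "forall", "exists", "bot"

# Constructed abstract model: labels, may-transitions and must-transitions.
MTS = {
    "label": {"a0": {"p", "~v"}, "a12": {"v"}, "a3": {"p", "~v"}},
    "may": {("a0", "a12"), ("a12", "a0"), ("a12", "a3"), ("a3", "a3")},
    "must": {("a0", "a12"), ("a12", "a3"), ("a3", "a3")},
}


def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit


def succ(mts, rel, s):
    """States reachable from s by one may- or must-transition (rules 17b/17a)."""
    return [t for (u, t) in sorted(mts[rel]) if u == s]


def mark(mts, rnd, player, s, f):
    """Mark of configuration player,s,[f] in round rnd (1: forall vs bot,
    2: bot vs exists); returns FORALL, EXISTS or BOT."""
    op = f[0]
    if op == "A":                # step 3.1: bot takes forall's role in round 2
        return mark(mts, rnd, FORALL if rnd == 1 else BOT, s, f[1])
    if op == "E":                # step 3.2: bot takes exists's role in round 1
        return mark(mts, rnd, BOT if rnd == 1 else EXISTS, s, f[1])
    if op == "atom":             # case 1, via finish condition 1 of each round
        q = f[1]
        if rnd == 1:
            return FORALL if neg(q) in mts["label"][s] else BOT
        return EXISTS if q in mts["label"][s] else BOT
    if op in ("and", "or"):      # cases 2 and 3
        m1 = mark(mts, rnd, player, s, f[1])
        m2 = mark(mts, rnd, player, s, f[2])
        win, lose = (EXISTS, FORALL) if op == "and" else (FORALL, EXISTS)
        if m1 == win and m2 == win:
            return win
        if lose in (m1, m2):
            return lose
        # the mixed pairs listed in cases 2/3; the bot/bot pair, which the
        # cases do not list, is also treated as bot here (assumption)
        return BOT
    if op == "X":
        must = [mark(mts, rnd, player, t, f[1]) for t in succ(mts, "must", s)]
        may = [mark(mts, rnd, player, t, f[1]) for t in succ(mts, "may", s)]
        if not may or (player != BOT and not must):   # finish conditions 5/6
            return BOT
        if (rnd, player) in ((1, FORALL), (2, BOT)):  # case 4a
            if FORALL in must:
                return FORALL
            if all(m == EXISTS for m in must):
                return EXISTS
            if BOT in may and all(m in (EXISTS, BOT) for m in may):
                return BOT
        else:                                         # case 4b
            if all(m == FORALL for m in may):
                return FORALL
            if EXISTS in must:
                return EXISTS
            if BOT in may and all(m in (FORALL, BOT) for m in may):
                return BOT
        return BOT   # assumption: no clause applies, the path player cannot force a win
    raise ValueError(f"unsupported formula: {f!r}")


def check(mts, s, f):
    """Two rounds: forall wins the game if it wins round 1 (ff); otherwise
    exists wins if it wins round 2 (tt); otherwise bot wins both rounds."""
    if mark(mts, 1, FORALL, s, f) == FORALL:
        return "ff"
    if mark(mts, 2, BOT, s, f) == EXISTS:
        return "tt"
    return "unknown"


if __name__ == "__main__":
    AXP = ("A", ("X", ("atom", "p")))
    EXV = ("E", ("X", ("atom", "v")))
    for s in ("a0", "a12"):
        print(s, "AX(p):", check(MTS, s, AXP), " EX(v):", check(MTS, s, EXV),
              " AX(p) or EX(v):", check(MTS, s, ("or", AXP, EXV)))
```

At a0 the value of AX(p) is unknown because p is unknown at the only successor a12, while EX(v) is tt since a12 is reached by a must-transition and carries v.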
Proposition 7 (Termination) The algorithm Mark Configuration always terminates.

Proof. The total number of all configurations can be calculated as $|S| \cdot 2^{|\varphi|}$. Every configuration is marked by Mark Configuration only once. □

Proposition 8 Assume that Mark Configuration marks all configurations in the graph of $\Gamma_{CTL^*}(M_a, s, \varphi)$. The following two statements hold.

1. Every configuration $C$ is marked with one of $\forall$, $\exists$, $\bot$.

2. If a configuration $C$ is marked with $p \in \{\forall, \exists, \bot\}$ then $p$ wins the (sub)game of $\Gamma_{CTL^*}(M_a, s, \varphi)$ that starts from $C$.

Proof. The first statement follows from the fact that every case in Mark Configuration marks configurations with one symbol and each case corresponds to one syntax element of the focus formula in $C$.

We show the second statement by induction on the structure of the game tree rooted at $C$. Without loss of generality, assume that $p \in \{\forall, \exists, \bot\}$ wins a game. When a winning tree of $p$ consists of a single configuration, case 1 applies and $C$ is marked with the symbol $p$. When a winning tree of $p$ consists of an infinite sequence in which the configuration $C$ appears infinitely often, the focus formula of $C$ must be of the form $\psi_1 U \psi_2$ or $\psi_1 R \psi_2$. Suppose that the focus formula is a U-formula and $C$ is marked with $\forall$ or $\bot$. According to case 5a or case 5b, $\forall$ or $\bot$ wins, since $\psi_2$ never holds. Suppose that the focus formula is an R-formula and $C$ is marked with $\exists$ or $\bot$. According to case 6a or case 6b, $\exists$ or $\bot$ wins, since $\psi_2$ always holds. For any other structure of the game tree, there is at least one next configuration $C'$, a child of $C$, that is marked with $p$. According to the remaining cases in Mark Configuration, $C$'s mark is decided by the mark of $C'$ in each corresponding case. By the induction hypothesis, $C'$ is marked with $p$, and it follows that $p$ wins the game started from $C$. □

Proposition 9 Consider a game that has been marked by Mark Configuration. Let $C_s$ be the starting configuration, marked with $\chi \in \{\forall, \exists, \bot\}$. For any configuration $C_i$, if $C_i$ is marked with $\chi$ and may-next$(C_i) \neq \emptyset$, then there is at least one configuration $C_j$ such that $C_j \in$ may-next$(C_i)$ and $C_j$ is marked with $\chi$.

Proof. This follows from the observation that Mark Configuration recursively marks every configuration depending on the marks of its child vertices. The starting configuration is guaranteed to be marked eventually by the exhaustiveness of the search. □


Lemma 10 The following statements hold.

1. Every play terminates.

2. Every play has a uniquely determined winner.

3. For every round of $\Gamma_{CTL^*}(M_a, s, \varphi)$ one of the players has a winning strategy.

4. One player wins the game iff the other players do not win.

Proof. Lange and Stirling [10] showed that these four statements hold in two-player games. In $\Gamma_{CTL^*}(M_a, s, \varphi)$, each round can be seen as a two-player game with more constraints. In particular, rules (17a) and (17b) do not introduce new moves for any player. Therefore, these four statements hold in each round, which yields this lemma. □


Theorem 11 (Soundness)

1. $\forall$ wins $\Gamma_{CTL^*}(M_a, s, \varphi) \Rightarrow M_c \not\models \varphi$.

2. $\exists$ wins $\Gamma_{CTL^*}(M_a, s, \varphi) \Rightarrow M_c \models \varphi$.

3. $\bot$ wins $\Gamma_{CTL^*}(M_a, s, \varphi) \Rightarrow$ both $M_c \models \varphi$ and $M_c \not\models \varphi$ are possible.
Proof. We first show statement 1 (statement 2). Every play in $\forall$'s ($\exists$'s) winning tree terminates either in a loop or at a terminating configuration. If it terminates in a loop then there exists a configuration appearing twice, and during the loop $\bot$ ($\exists$) cannot (can) win with finish condition 2 or 4 (3 or 4). Otherwise it terminates at a configuration in which $\forall$ ($\exists$) wins with finish condition 1. According to our constraint and winning criteria, rule (17b) cannot be applied anywhere in $\forall$'s ($\exists$'s) winning tree. This implies that all plays in the winning tree are based on must-transitions of $M_a$. Therefore, $\forall$ ($\exists$) can also win on the model $M_c$, that is, $M_c \not\models \varphi$ ($M_c \models \varphi$).

We now show statement 3. $\bot$ has winning trees for both rounds. There must be a play that either terminates at a terminating configuration, or uses rule (17b) based on a transition in $R_{may} - R_{must}$ of $M_a$. Suppose it terminates at a configuration, denoted by $p, s_a, [q], \Phi$, with finish condition 1. By the abstraction, there are two states $s_c, s'_c \in \gamma(s_a)$ such that $q \in L_c(s_c)$ and $\neg q \in L_c(s'_c)$, or $\neg q \in L_c(s_c)$ and $q \in L_c(s'_c)$. Hence, both $\forall$ winning in $M_c$ and $\exists$ winning in $M_c$ are possible. The information is not sufficient to show $M_c \models \varphi$ or $M_c \not\models \varphi$. □

Lemma 12 The following two statements hold.

1. $M_c \models \varphi \Rightarrow [M_a \models_3 \varphi] = tt$ or $[M_a \models_3 \varphi] = \bot$.

2. $M_c \not\models \varphi \Rightarrow [M_a \models_3 \varphi] = ff$ or $[M_a \models_3 \varphi] = \bot$.

Proof. By the three-valued abstraction, they are trivial. □

Lemma 13 The following three statements hold.

1. $[M_a \models_3 \varphi] = tt \Rightarrow \exists$ wins $\Gamma_{CTL^*}(M_a, s, \varphi)$.

2. $[M_a \models_3 \varphi] = ff \Rightarrow \forall$ wins $\Gamma_{CTL^*}(M_a, s, \varphi)$.

3. $[M_a \models_3 \varphi] = \bot \Rightarrow \bot$ wins $\Gamma_{CTL^*}(M_a, s, \varphi)$.

Proof. We give a winning strategy based on Mark Configuration for each player $p \in \{\forall, \exists, \bot\}$. Assume that Mark Configuration has been applied to the game $\Gamma_{CTL^*}(M_a, s, \varphi)$. Let $p \in \{\forall, \exists, \bot\}$ be a player and $C$ be the current configuration. It does not matter whether $p$ is the path player in $C$ or not. Since $\bot$ can play $\exists$'s role in the first round and $\forall$'s role in the second round, we distinguish $\bot$ from the other players.

$\forall$'s and $\exists$'s winning strategies: if there is a next configuration $C'$ of $C$ such that $C'$ is marked with symbol $p$, then select $C'$ by using one of rules 1-16, 17a or 18; else do nothing.

$\bot$'s winning strategy: if there is a next configuration $C'$ of $C$ such that $C'$ is not marked with the mark of $\bot$'s opponent, then select $C'$ by using one of rules 1-16, 17b or 18; else do nothing.

We use Propositions 8 and 9 to prove that each such strategy is a winning strategy for the corresponding player. Proposition 8 shows that a player $p$ wins the game $\Gamma_{CTL^*}(M_a, s, \varphi)$ if the starting configuration is marked with $p$. Proposition 9 shows that for any configuration $C$ marked with symbol $p$, there is a $C'$ such that $C'$ is a next configuration of $C$ and is also marked with $p$. By the definition of each player's task, we have that $\exists$ wins if $[M_a \models_3 \varphi] = tt$, $\forall$ wins if $[M_a \models_3 \varphi] = ff$, and $\bot$ wins if $[M_a \models_3 \varphi] = \bot$. □

Theorem 14 (Completeness)

- $M_c \models \varphi \Rightarrow \exists$ wins $\Gamma_{CTL^*}(M_a, s, \varphi)$ or $\bot$ wins.

- $M_c \not\models \varphi \Rightarrow \forall$ wins $\Gamma_{CTL^*}(M_a, s, \varphi)$ or $\bot$ wins.

Proof. It follows directly from Lemmas 12 and 13. □

Refinement issues. The main advantage of the game-based model checking approach is the availability of more precise debugging information on the examined system. With games it is not necessary to create an additional debugger, because the game-based approach annotates each state on the proofs, counterexamples or refinements with a sub-formula of the temporal formula $\varphi$ of interest that is true, false or unknown in that state. The annotating sub-formulas, being true, false or unknown in the respective states, provide the reason for $\varphi$ to be true, false or unknown. By analyzing such information we can figure out where errors have occurred and what the causes of the errors are.

Complexity issues. The best currently known complexity for CTL* model checking is PSPACE, and so is that of our algorithm. Let all sub-games start from a formula $A\psi$ or $E\psi$. Mark Configuration can be applied to every sub-tree in each round. There are at most $|S| \cdot |\varphi| / 2$ sub-games, so Mark Configuration might have to be invoked $|S| \cdot |\varphi| / 2$ times. After a sub-game, the space it needs can be released. Thus the algorithm for each round, as a two-player game, runs in PSPACE. The total complexity is in the same class as the complexity of a round.

Conclusions. We presented two problems at the beginning of this paper: the state space explosion problem and the system debugging problem. To overcome both of these problems, we proposed a game-based approach that combines several powerful techniques: abstraction, refinement and three-valued logic. The abstraction on three-valued semantics was used to overcome the first problem. The analysis of the game-based model checking was used to solve the second problem. We also proposed a game-based algorithm for model checking, and proved its termination, soundness and completeness.